Have companies deleted your data?
Over one month ago, Privacy International filed complaints concerning seven data brokers, ad-tech companies, and credit referencing agencies with data protection authorities across Europe. The companies named in the complaints are Acxiom, Criteo, Equifax, Experian, Oracle, Quantcast, and Tapad.
The submissions set out the myriad of ways in which these companies fall short of what is required by data protection laws in the European Union and called on the data protection authorities to investigate these companies and the sectors in which they operate in order to protect individuals from the mass exploitation of their data.
The same day, we launched a campaign seeking to make it easier for you to demand these companies delete the data they have collected and have about you. GDPR requires companies to respond within one month, therefore for those of you that participated in this campaign (depending on the date you submitted your requests), the deadline has either passed on is fast approaching. With this in mind, we felt it important to reflect on the difficulties in effectively exercising this right. We hope that the more people exercise their rights in relation to their personal data, the more it pushes companies to improve the way in which they manage and respond. Meanwhile Privacy International will continue to consider options and next steps towards ensuring that people’s rights are respected.
To date we have found the process of asking the companies to delete our data frustrating; the companies often tried to come up with excuses for not deleting our data or sought to make it a complicated process.
The ad-tech companies Criteo, Quantcast, and Tapad responded to our requests with 1) long explanations about the benefits of digital tracking, 2) assurances that the companies do not collect data that can be used to identify us, and 3) that it was super easy to opt out.
Because Criteo, Quantcast, and Tapad's tracking and subsequent advertising is cookie dependent, the companies were only able to tell us to deactivate their tracking cookies - which meant that we had to accept their cookies and turn off our privacy friendly settings! For reasons of privacy and security, it is often recommended that people frequently delete their browser cookies, which are bits of code that can do a variety of things, including track your browsing habits for advertising purposes. However, in Criteo's response to our request they said that deleting your cookies may result in the reactivation of Criteo's tracking your browsing habits, meaning that these companies appear to be unable to permanently stop tracking people, even when those people have withdrawn (or have never given) their consent.
Classical data brokers, such as Acxiom, use data such as your post code and address (combined with other identifiers) to identify and profile you. They appear not to offer a way to completely delete your data from their databases or from third-parties with which they have shared or sold your data, but rather they "supress" your data. What suppression looks like for companies like Acxiom is not clear (do they also "supress" the data they've already shared or sold?) but is generally understood to mean that they keep your data but no longer use, share, or sell it. However, even where a company does not have your address you may profiled (categorised and segmented) based on online identifiers (such as cookies), as with Oracle. As explained above, this solution is far from satisfactory as they ask you to accept cookies to implement it.
Credit reference agencies, including Equifax and Experian, have been imbedded into our societies and may be instrumental in our access to credit, such as a mortgage or a credit card. However, these companies also have marketing products and services, where they profile and provide insights on us - this is the data we are asking to be deleted. They normally associate data with you based on your name and address, but that's not the only data they hold. We found it hard to get straight answers from these companies that they have actually deleted marketing data, including profiles, relating to us.
Another person who sent deletion requests had a similarly frustrating experience. They told us that they sent requests to six of the companies, and that they found the decentralised nature of the process, with each company having its own internal operating procedures convoluted and oftentimes unclear. They said that one company responded within minutes to deny their request to delete their data, stating in the company’s template response that they do not respond to emails motivated by a letter writing campaign.
They also said that another company asked that they mail the company a certified copy of their passport so that they could first authenticate their identity. Another company said it had a “legitimate interest” in retaining their information and denied their request.
Another company claimed they could not find any records pertaining to the requester, but after the requester followed up to dispute that, they conceded they did have their personal information and said they would delete it.
Two companies did not respond at all to the requester.
Overall, the requester said they found the process to be cumbersome and thought many barriers were put in place with the sole intention of trying to exhaust them so that they would not follow through with their request.
Finally, the requester told PI that we should all be entitled to a reasonable baseline of respect — the onus should not be on individuals to persuade companies to respect our collective rights.
Privacy International agrees whole heartedly, the protection of personal data is a fundamental right and it is essential to the enjoyment of this right and other fundamental rights, that the specific rights that individuals have in relation to their personal data are workable and respected in practice.
Privacy International looks forward to continuing to challenge these companies’ mass data exploitation in 2019.